Norton patches firewall holes

Now you can also block advertising programs from checking out your system.

By Sean Captain
PC World, 08/01/00

Symantec has quietly modified its Norton Personal Firewall and Norton Internet Security 2000 products to block advertising programs that are sometimes dubbed "spyware."

The programs, called adbots, fetch banner ads over the Internet, but they also transmit encrypted data about the user back to the advertising companies. This function has earned them the "spyware" label among privacy and security advocates.

Firewalls are designed, in part, to give you control and choice over what goes into and out of your system while connected to the Internet. However, Symantec did not notify customers that its software was allowing the adbot programs to get through the firewall, and many Norton customers complained.

More than 400 free software products have adbots incorporated into them for a fee, say adbot distribution companies. TSAdbot from Conducent can be found in PKZip and other programs. Ad technology from Radiate (formerly Aureate Media), is used in such popular products as Go!Zilla.

Adbot companies say they compile data only to track the effectiveness of ads and to deliver targeted solicitations. Although they claim not to collect personal information, the firms do not specify exactly what is gathered.

Fishing for information

Conducent's Web site describes its practices in a section called "Information Collected in Content Delivery." There, it reports the company "collects non-personally identifiable information INCLUDING your operating system type and IP address." Radiate notes in its section on "Use of Unique Identifiers" that it "may use information such as browser type, operating system, and ISP, to both target advertisements as well as compile site demographics."

Those actions alone are a concern for many people, and critics such as security guru Steve Gibson of Gibson Research wonder what else the programs may report.

"The adbots transmit encrypted data, so we have no way of knowing what more they may be doing, if anything," Gibson says.

A number of Symantec customers complained about the company's policy of allowing adbots through the firewall products, so Symantec decided to revise the software, according to Symantec representatives.

"Because there is customer concern about it, we wouldn't be doing our customers any service by not alerting them," says Brendon Woirhaye, quality assurance manager at Symantec.

Some Norton critics allege the company had a business relationship with Radiate and Conducent, but Symantec has never had any formal contact with either company, says Tom Powledge, a senior product manager for Symantec's consumer products. He insists it is "absolutely not the case whatsoever" that Symantec had deals with the adbot makers.

Symantec purges its list

Symantec's Norton Personal Firewall monitors Internet data traffic and blocks suspicious activities, such as a hacker attempting to access your files. The software also watches applications that may open up security holes.

In theory, the firewall alerts you each time a new Internet application runs, asking whether you want to permit or block access. However, Norton tries to simplify the process by using an "application lookup engine," or ALE, of "known, trusted" Internet programs, such as Microsoft Internet Explorer or Qualcomm's Eudora Pro e-mail client. Without alerting the user, Norton automatically configures rules that allow such apps to access the Net.

"Basically, they are applications of trusted companies that we've looked at and analyzed," Woirhaye explains, although he concedes that Symantec has recently amended its analysis of adbots.

The application lookup engine in both Norton Personal Firewall and Norton Internet Security 2000 originally included entries for the Aureate and TSAdbot programs-meaning those programs were automatically approved-ad-fetching and information transmission functions and all. But the updated ALE, available as a free download only by using Norton's LiveUpdate automatic software update service, contains neither the Aureate nor the TSAdbot entries. When these programs run under the updated firewall, Norton alerts you and asks you to manually configure a firewall rule.

Symantec does instruct how to block adbots in an entry in its knowledge base. The document will take you step by step through the process of blocking adbots.

Here's how to start over

Simply using LiveUpdate may not change the way Symantec's security products handle adbots, however. If the adbot has run even once under your original firewall installation, the program has already configured its rules to permit Internet access.

The best way to wipe out the rules and start fresh is to uninstall Norton Personal Firewall or Internet Security 2000, reinstall the program, run Live Update immediately, and restart the system so it will configure firewall rules only using the latest application lookup engine. But it's hard to know what other "trusted" apps may lurk in the ALE. The current version has more than 700 entries, each contained in its own text file with a fairly cryptic filename.